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Abstract.  Recently,  pushdown  systems  (PDSs)  have  been  extended  to  weighted  PDSs,  in 
which  each  transition  is  labeled  with  a  value,  and  the  goal  is  to  determine  the  meet-over-all- 
paths  value  (for  paths  that  meet  a  certain  criterion).  This  paper  shows  how  weighted  PDSs 
yield  new  algorithms  for  certain  classes  of  interprocedural  dataflow-analysis  problems. 

1  Introduction 

This  paper  explores  a  connection  between  interprocedural  dataflow  analysis  and  model 
checking  of  pushdown  systems  (PDSs).  Various  connections  between  dataflow  analysis 
and  model  checking  have  been  established  in  past  work,  e.g.,  [6, 9, 23, 27, 28];  however, 
with  one  exception  ([9]),  past  work  has  shed  light  only  on  the  relationship  between 
model  checking  and  bit-vector  dataflow-analysis  problems,  such  as  live-variable  anal¬ 
ysis  and  partial-redundancy  elimination.  In  contrast,  the  results  presented  in  this  paper 
apply  to  (i)  bit- vector  problems,  (ii)  the  one  non-bit- vector  problem  addressed  in  [9],  as 
well  as  (iii)  certain  dataflow-analysis  problems  that  cannot  be  expressed  as  bit-vector 
problems,  such  as  linear  constant  propagation.  In  general,  the  approach  can  be  applied 
to  any  distributive  dataflow-analysis  problem  for  which  the  domain  of  transfer  functions 
has  no  infinite  descending  chains.  (Safe  solutions  are  also  obtained  for  problems  that 
are  monotonic  but  not  distributive.) 

The  paper  makes  use  of  a  recent  result  that  extends  PDSs  to  weighted  PDSs,  in 
which  each  transition  is  labeled  with  a  value,  and  the  goal  is  to  determine  the  meet- 
over-all-paths  value  (for  paths  that  meet  a  certain  criterion)  [25].  The  paper  shows  how 
weighted  PDSs  yield  new  algorithms  for  certain  classes  of  interprocedural  dataflow- 
analysis  problems.  These  ideas  are  illustrated  by  the  application  of  weighted  PDSs  to 
linear  constant  propagation. 

The  contributions  of  the  paper  can  be  summarized  as  follows; 

-  Conventional  dataflow-analysis  algorithms  merge  together  the  values  for  all  states 
associated  with  the  same  program  point,  regardless  of  the  states’  calling  context. 
With  the  dataflow-analysis  algorithm  obtained  via  weighted  PDSs,  dataflow  queries 
can  be  posed  with  respect  to  a  regular  language  of  stack  configurations.  Conven¬ 
tional  merged  dataflow  information  can  also  be  obtained  by  issuing  appropriate 
queries;  thus,  the  new  approach  provides  a  strictly  richer  framework  for  interproce¬ 
dural  dataflow  analysis  than  is  provided  by  conventional  interprocedural  dataflow- 
analysis  algorithms. 

-  Because  the  algorithm  for  solving  path  problems  in  weighted  PDSs  can  provide  a 
witness  set  of  paths,  it  is  possible  to  provide  an  explanation  of  why  the  answer  to  a 
dataflow  query  has  the  value  reported. 

The  algorithms  described  in  the  paper  have  been  implemented  in  a  library  that  solves 
reachability  problems  on  weighted  PDSs  [24].  The  library  has  been  used  to  create  proto¬ 
type  implementations  of  context-sensitive  interprocedural  dataflow-analysis  algorithms 
for  linear  constant  propagation  [22]  and  the  detection  of  affine  relationships  [16].  The 
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library  is  available  on  the  Internet,  and  may  be  used  by  third  parties  in  the  creation  of 
dataflow-analysis  tools. 

The  remainder  of  the  paper  is  organized  as  follows:  Section  2  introduces  terminol¬ 
ogy  and  notation  used  in  the  paper,  and  defines  the  generalized-pushdown-reachability 
(GPR)  framework.  Section  3  presents  the  algorithm  from  [25]  for  solving  GPR  prob¬ 
lems.  Section  4  presents  the  new  contribution  of  this  paper — the  application  of  the  GPR 
framework  to  interprocedural  dataflow  analysis.  Section  5  discusses  related  work.  Ap¬ 
pendix  A  describes  an  enhancement  to  the  algorithm  from  Section  3  to  generate  a  wit¬ 
ness  set  for  an  answer  to  a  GPR  problem. 

2  Terminology  and  Notation 

In  this  section,  we  introduce  terminology  and  notation  used  in  the  paper. 

2.1  Pushdown  Systems 

A  pushdown  system  is  a  transition  system  whose  states  involve  a  stack  of  unbounded 
length. 

Definition  1.  A  pushdown  system  is  a  triple  V  =  (P  P,  A),  where  P  and  P  are  finite 
sets  called  the  control  locations  and  the  stack  alphabet,  respectively.  A  configuration 

ofV  is  a  pair  {p,  w),  where  p  £  P  and  w  €  P*.  A  contains  a  finite  number  of  rules 
of  the  form  (p,y)  c-4-p  (p',w),  where  p,p'  €  P,  7  €  P,  and  w  €  P*,  which  define  a 
transition  relation  =!>  between  configurations  ofV  as  follows: 

If  r  =  {p,  7)  W-p  ip' ,  w),  then  (p,  yw')  =^=k>-p  ip' ,  ww')  for  all  w'  €  P*. 

We  write  c  =>-p  c'  to  express  that  there  exists  some  rule  r  such  that  c  c' ;  we 

omit  the  index  V  ifV  is  understood.  The  reflexive  transitive  closure  of=>  is  denoted  by 
=!■*.  Given  a  set  of  configurations  C,  we  define  pre*  (C)  :=  {  c!  \  3c  €  C :  c!  c  } 
and  post*(C )  :=  {  c'  |  3c  €  C:  c  =>*  c'  }  to  be  the  sets  of  configurations  that  are 
reachable — backwards  and  forwards,  respectively — from  elements  of  C  via  the  transi¬ 
tion  relation. 

Without  loss  of  generality,  we  assume  henceforth  that  for  every  (p ,  7)  t->  (p1,  w)  we 
have  |w;|  <2;  this  is  not  restrictive  because  every  pushdown  system  can  be  simulated 
by  another  one  that  obeys  this  restriction  and  is  larger  by  only  a  constant  factor;  e.g., 
see  [13], 

Because  pushdown  systems  have  infinitely  many  configurations,  we  need  some 
symbolic  means  to  represent  sets  of  configurations.  We  will  use  finite  automata  for 
this  purpose. 

Definition  2.  Let  V  =  (P,  P,  Zi)  be  a  pushdown  system.  A  V -automaton  is  a  quintuple 
A  =  (<2,  P,  — »,P,  F)  where  Q  D  P  is  a  finite  set  of  states,  — >  C  Q  x  P  x  Q  is  the  set 
of  transitions,  and  F  C  Q  are  the  final  states.  The  initial  states  of  A  are  the  control 
locations  P.  A  configuration  (p,  w)  is  accepted  by  A  if  p  qfor  some  final  state  q. 
A  set  of  configurations  ofV  is  regular  if  it  is  recognized  by  some  V -automaton.  (We 
frequently  omit  the  prefix  V  and  simply  refer  to  “automata”  ifV  is  understood.) 

A  convenient  property  of  regular  sets  of  configurations  is  that  they  are  closed  un¬ 
der  forwards  and  backwards  reachability.  In  other  words,  given  an  automaton  A  that 
accepts  the  set  C ,  one  can  construct  automata  Apre *  and  Apost*  that  accept  pre*(C ) 
and  post*(C),  respectively.  The  general  idea  behind  the  algorithm  for  pre*  [3, 8]  is  as 
follows: 


Let  P  =  ( P ,  F,  H)  be  a  pushdown  system  and  A  =  (Q,  F,  — »o,  P,  F)  be  a  P- 
automaton  accepting  a  set  of  configurations  C .  Without  loss  of  generality  we  assume 
that  A  has  no  transition  leading  to  an  initial  state.  pre*(C )  is  obtained  as  the  language 
of  an  automaton  Apre*  =  ( Q ,  F.  — P,  F)  derived  from  A  by  a  saturation  procedure. 
The  procedure  adds  new  transitions  to  A  according  to  the  following  rule: 

If  (P;  7)  ^  { p',w )  and  p'  q  in  the  current  automaton,  add  a  transition 

(P,  1,Q)- 

In  [8]  an  efficient  implementation  of  this  procedure  is  given,  which  requires 
C>(|Q|2|Z\|)  time  and  0(\Q\  |Z\|  +  |— »o|)  space.  Moreover,  another  procedure  (and  im¬ 
plementation)  are  presented  for  constructing  a  P-automaton  that  accepts  post*(C).  In 
Section  3,  we  develop  generalizations  of  these  procedures.  (We  present  these  extensions 
for  pre*;  the  same  basic  idea  applies  to  post* ,  but  is  omitted  for  lack  of  space.) 

2.2  Weighted  Pushdown  Systems 

A  weighted  pushdown  system  is  a  pushdown  system  whose  rules  are  given  values  from 
some  domain  of  weights.  The  weight  domains  of  interest  are  the  bounded  idempotent 
semirings  defined  in  Definition  3. 

Definition  3.  A  bounded  idempotent  semiring  is  a  quintuple  (D,  0,  0, 1),  where 

D  is  a  set,  0  and  1  are  elements  of  D,  and  0  (the  combine  operation )  and  Cg  (the  extend 
operation )  are  binary  operators  on  D  such  that 

1.  (D,  0)  is  a  commutative  monoid  with  0  as  its  neutral  element,  and  where  0  is 
idempotent  (i.e.,for  all  a  &  D,  a  0  a  =  a). 

2.  (D,  (§3)  is  a  monoid  with  the  neutral  element  1. 

3.  <g  distributes  over  0,  i.e.for  all  a,b,c  G  D  we  have 

a  g  (b  0  c)  =  (a  ®  b)  0  (a  0  c)  and  (a  0  b)  g  c  =  (a  g  c)  0  (b  g  c)  . 

4.  0  is  an  annihilator  with  respect  to  g,  i.e.,for  all  a  G  D,  a  g  0  =  0  =  0  g  a. 

5.  In  the  partial  order  C  defined  by:  Va,  b  G  D,  aC.b  iff  a®b  =  a,  there  are  no 
infinite  descending  chains. 

Definition  4.  A  weighted  pushdown  system  is  a  triple  W  =  (P,  S ,  /)  such  that  P  = 
(P,  P,  A)  is  a  pushdown  system,  S  =  ( D ,  0,  <g,  0, 1)  is  a  bounded  idempotent  semiring, 
and  / :  A  — »  D  is  a  function  that  assigns  a  value  from  D  to  each  rule  offP. 

Let  a  €  A*  be  a  sequence  of  rules.  Using  /,  we  can  associate  a  value  to  <r,  i.e., 
if  a  =  [ri, . . . ,  Tk],  then  we  define  v(o)  :=  f(r  1)  <g  . . .  <g  /(ffe).  Moreover,  for  any 
two  configurations  c  and  c'  of  P,  we  let  path(c ,  c')  denote  the  set  of  all  rule  sequences 
[ri , . . . , r^]  that  transform c  into  c',  i.e.,  c  -ri^>  •  •  •  c' 

Definition  5.  Given  a  weighted  pushdown  system  W  =  (P,  S,  /),  where  V  =  (P,  P,  A), 
and  a  regular  set  C  CPx  F*,  the  generalized  pushdown  reachability  (GPR)  prob¬ 
lem  is  to  find  for  each  c  £  P  x  F*; 

-  S(c)  :=  ©{v(<t)  |  o  G  path(c,c'),c'  G  C}; 

-  a  witness  set  of  paths  oj(c )  C  |J  path(c,  c')  such  that  0  v(o)  =  5(c). 

c'  GC  <tEw(c) 

Notice  that  the  extender  operation  ®  is  used  to  calculate  the  value  of  a  path.  The 
value  of  a  set  of  paths  is  computed  using  the  combiner  operation  0.  In  general,  it  is 
enough  for  ui(c)  to  contain  only  a  finite  set  of  paths  whose  values  are  minimal  elements 
of  -O(ct)  I  CT  G  path(c ,  c'),  c'  G  C  },  i.e.,  minimal  with  respect  to  the  partial  order  C 
defined  in  Definition  3(5). 


3  Solving  the  Generalized  Pushdown  Reachability  Problem 

This  section  presents  the  algorithm  from  [25]  for  solving  GPR  problems. 

For  the  entire  section,  let  W  denote  a  fixed  weighted  pushdown  system:  W  = 
(V,  <S,  /),  where  V  =  ( P ,  P.  A)  and  S  =  ( D ,  ©,  <g>,  0, 1);  let  C  denote  a  fixed  reg¬ 
ular  set  of  configurations,  represented  by  a  P-automaton  A  =  ( Q ,  P.  — »o,  P,  F)  such 
that  A  has  no  transition  leading  to  an  initial  state. 

The  GPR  problem  is  a  multi-target  meet-over-all-paths  problem  on  a  graph.  The 
vertices  of  the  graph  are  the  configurations  of  V,  and  the  edges  are  defined  by  "P’s 
transition  relation.  The  target  vertices  are  the  vertices  in  C .  Both  the  graph  and  the  set 
of  target  vertices  can  be  infinite,  but  have  some  built-in  structure  to  them;  in  particular, 
C  is  a  regular  set. 

Because  the  GPR  problem  concerns  infinite  graphs,  and  not  just  an  infinite  set  of 
paths,  it  differs  from  other  work  on  meet-over-all-paths  problems.  As  in  the  ordinary 
pushdown-reachability  problem  [3, 8],  the  infinite  nature  of  the  (GPR)  problem  is  ad¬ 
dressed  by  reporting  the  answer  in  an  indirect  fashion,  namely,  in  the  form  of  an  (anno¬ 
tated)  automaton.  An  answer  automaton  without  its  annotations  is  identical  to  an  Apre* 
automaton  created  by  the  algorithm  of  [8],  For  each  c  €  pre*(C ),  the  values  of  6(c ) 
and  oj(c)  can  be  read  off  from  the  annotations  by  following  all  accepting  paths  for  c  in 
the  automaton;  for  c  #  pre*(C),  the  values  of  6(c)  and  u>(c)  are  0  and  0,  respectively. 
The  algorithm  is  presented  in  several  stages; 

-  We  first  define  a  language  that  characterizes  the  sequences  of  transitions  that  can 
be  made  by  a  pushdown  system  P  and  an  automaton  A  for  C. 

-  We  then  turn  to  weighted  pushdown  systems  and  the  GPR  problem.  We  use  the 
language  characterizations  of  transition  sequences,  together  with  previously  known 
results  on  a  certain  kind  of  grammar  problem  [15, 17]  to  obtain  a  solution  to  the 
GPR  problem. 

-  However,  the  solution  based  on  grammars  is  somewhat  inefficient;  to  improve  the 
performance,  we  specialize  the  computation  to  our  case,  ending  up  with  an  algo¬ 
rithm  for  creating  an  annotated  automaton  that  is  quite  similar  to  the  pre*  algorithm 
from  [8]. 

3.1  Languages  that  Characterize  Transition  Sequences 

In  this  section,  we  make  some  definitions  that  will  aid  in  reasoning  about  the  set  of  paths 
that  lead  from  a  configuration  c  to  configurations  in  a  regular  set  C.  We  call  this  set  the 
reachability  witnesses  for  c  £  Pxf*  with  respect  to  C:  ReachabilityWitnesses(c,  C)  = 

Uc'ec  I)aih(c- c')- 

It  is  convenient  to  think  of  PDS  V  and  P- automaton  A  (for  C)  as  being  combined  in 
sequence,  to  create  a  combined  PDS,  which  we  will  call  VA.  VA's  states  are  P  U  Q  = 
Q ,  and  its  rules  are  those  of  V,  augmented  with  a  rule  { q ,  7)  { q c)  for  each  transition 
q  -Pp  q'  in  Pi’s  transition  set  — >o- 

We  say  that  a  configuration  c  =  (p,  7172  •  •  •  Jn)  is  accepted  by  VA  if  there  is  a 
path  to  a  configuration  {?/,  e)  such  that  qj  €  F.  Note  that  because  A  has  no  transitions 
leading  to  initial  states,  PPl’s  behavior  during  an  accepting  run  can  be  divided  into  two 
phases — transitions  during  which  VA  mimics  P,  followed  by  transitions  during  which 
VA  mimics  A:  once  VA  reaches  a  state  in  (Q  —  P),  it  can  only  perform  a  sequence  of 
pops,  possibly  reaching  a  state  in  F.  If  the  run  of  VA  does  reach  a  state  in  P,  in  terms 
of  the  features  of  the  original  V  and  Pi,  the  second  phase  corresponds  to  automaton  Pi 
accepting  some  configuration  c'  that  has  been  reached  by  P,  starting  in  configuration  c. 
In  other  words,  VA  accepts  a  configuration  c  iff  c  G  pre*(C). 

The  first  language  that  we  define  characterizes  the  pop  sequences  of  VA.  A  pop 
sequence  for  q  €  Q.  7  €  P,  and  q1  €  Q  is  a  sequence  of  Ppl’s  transitions  that  (i) 


starts  in  a  configuration  (q,  7 w),  (ii)  ends  in  a  configuration  (q1 ,  w ),  and  (iii)  through¬ 
out  the  transition  sequence  the  stack  is  always  of  the  form  w'w  for  some  non-empty 
sequence  w'  €  r+,  except  in  the  last  step,  when  the  stack  shrinks  to  w.  Because  w 
remains  unchanged  throughout  a  pop  sequence,  we  need  only  consider  pop  sequences 
of  a  canonical  form,  i.e.,  those  that  (i)  start  in  a  configuration  {q,  7),  and  (ii)  end  in  a 
configuration  {</',  e).  The  pop  sequences  for  a  given  q,  7,  and  q'  can  be  characterized  by 
the  complete  derivation  trees3  derived  from  nonterminal  PS(q^,qiy  using  the  grammar 
shown  in  Figure  1 . 


|  Production 

for  each 

(!)  P5(9,7,9') 

— y  t 

q  —A  q'  E  — >0 

(2)  P5(Pi7iP,) 

— y  c 

(P,  7)  ^  (p',e)  €  A,  p  E  P 

(3)  PS{Vjl)q) 

(p,  7)  ^  < pf  y')  e  A,  p  e  P,  q  e  Q 

(4)  PS(p^  Q) 

PS(p'tl'  ,q')  PS(q’^",q) 

(p,  7)  <-»  Ipf  7*7" )  E  A,  pE  P,  q,  q'  E  Q 

Fig. 1.  A  context-free  language  for  the  pop  sequences  of  'PA,  and  the  'PA  rules  that 
correspond  to  each  production. 


Theorem  1.  PDS  VA  has  a  pop  sequence  for  q,  7,  and  q'  iff  nonterminal  PS^^^i^ 
of  the  grammar  shown  in  Figure  1  has  a  complete  derivation  tree.  Moreover,  for  each 
derivation  tree  with  root  PS(q%1%qi),  a  preorder  listing  of  the  derivation  tree’s  production 
instances  (where  Figure  1  defines  the  correspondence  between  productions  and  PDS 
rules )  gives  a  sequence  of  rules  for  a  pop  sequence  for  q,  7,  and  q' ;  and  every  such 
sequence  of  rules  has  a  derivation  tree  with  root  PS(q>ltqiy 

Proof  (Sketch).  To  shrink  the  stack  by  removing  the  stack  symbol  on  the  left-hand 
side  of  each  rule  of  VA,  there  must  be  a  transition  sequence  that  removes  each  of 
the  symbols  that  appear  in  the  stack  component  of  the  rule’s  right-hand  side.  In  other 
words,  a  pop  sequence  for  the  left-hand-side  stack  symbol  must  involve  a  pop  sequence 
for  each  right-hand-side  stack  symbol. 

The  left-hand  and  right-hand  sides  of  the  productions  in  Figure  1  reflect  the  pop- 
sequence  obligations  incurred  by  the  corresponding  rule  of  VA. 

To  capture  the  set  ReachabilityWitnesses((p,  7172  ■  ■  .7 „),  C ),  where  C  is  recog¬ 
nized  by  automaton  A,  we  define  a  context-free  language  given  by  the  set  of  produc¬ 
tions 

Acceptingffiyi  ■  ■  -7n](P,</)  ~ f  Pi^(p, 71,91)  Pl^(9i, 72,92)  ■■■  ^>,^(9n-i, 7,1,9) 

for  each  q^  €  Q,  for  1  <  i  <  n  —  1;  and  q  €  F 
Accepted[ 7172  . . .  7 „]  (p)  -»  Accepting[ 7172  . . .  7 „]  (Pi?)  for  each  q  €  F 

This  language  captures  all  ways  in  which  PDS  VA  can  accept  (p,  7172  ■  ■  -  In)'-  the 
set  of  reachability  witnesses  for  (p.  7172  ■  ■  -7n  )  corresponds  to  the  complete  deriva¬ 
tion  trees  derivable  from  nonterminal  Accepted[ 7172  . .  -7n](p)-  The  subtree  rooted  at 
PS(qi _ i,7i,9;)  gives  the  pop  sequence  that  VA  performs  to  consume  symbol  7 j.  (If  there 
are  no  reachability  witnesses  for  (p ,  7172  . . .  7„),  there  are  no  complete  derivation  trees 
with  root  Accepted[ 7172  . . .  7„]  (p) .) 

3.2  Weighted  PDSs  and  Abstract  Grammar  Problems 

Turning  now  to  weighted  PDSs,  we  will  consider  the  weighted  version  of  VA,  denoted 
by  WA,  in  which  weighted  PDS  W  is  combined  with  *4,  and  each  rule  { q ,  7)  c->-  (q' ,  e) 

3  A  derivation  tree  is  complete  if  it  has  is  a  terminal  symbol  at  each  leaf. 


that  was  added  due  to  transition  q  -Ay  q'  in  4’s  transition  set  —>o  is  assigned  the  weight 
1. 

We  are  able  to  reason  about  semiring  sums  (©)  of  weights  on  the  paths  that  are 
characterized  by  the  context-free  grammars  defined  above  using  the  following  concept: 

Definition  6.  [15,17]  Let  (S,  n)  be  a  semilattice.  An  abstract  grammar  over  (S,  n) 
is  a  collection  of  context-free  grammar  productions,  where  each  production  9  has  the 
form 

X0  — >  ge  (Xi , . . . ,  Xk) . 

Parentheses,  commas,  and  gg  (where  6  is  a  production)  are  terminal  symbols.  Every 
production  9  is  associated  with  a  function  gg:  Sk  — >  S.  Thus,  every  string  a  of  ter¬ 
minal  symbols  derived  in  this  grammar  (i.e.,  the  yield  of  a  complete  derivation  tree) 
denotes  a  composition  of  functions,  and  corresponds  to  a  unique  value  in  S,  which  we 
call  valo(a)  (or  simply  val(a)  when  G  is  understood).  Let  Lq(X)  denote  the  strings 
of  terminals  derivable  from  a  nonterminal  X.  The  abstract  grammar  problem  is  to 
compute,  for  each  nonterminal  X,  the  value 

moiX)  :=  n  valo(a). 

aeLG(X) 

Because  the  complete  derivation  trees  with  root  Accept ed[ 7172  . .  -7n](p)  encode 
the  transition  sequences  by  which  WA  accepts  (p,  7172  ■  ■  .7 „),  to  cast  the  GPR  as  a 
grammar  problem,  we  merely  have  to  attach  appropriate  production  functions  to  the 
productions  so  that  for  each  rule  sequence  <7,  and  corresponding  derivation  tree  (with 
yield)  a,  we  have  v(o)  =  vala(ot).  This  is  done  in  Figure  2:  note  how  functions  <72.  <73, 
and  (74  place  f(r)  at  the  beginning  of  the  semiring-product  expression;  this  corresponds 
to  a  preorder  listing  of  a  derivation  tree’s  production  instances  (cf.  Theorem  1). 

Production  for  each 

(1)  PS(q,-y,q')  9l(e)  (9,1,0.')  6  “ >0 

51  =  1 

(2)  pS(p,i,p-)  02(e)  r  =  {p, 7)  (p',s)  e  A,  pe  P 

92  =  f(r) 

(3)  PS(p,-i,q)  ~^93 (P’V.y.g)}  r  =  (p,j)  (p',i')  e  A,  p  e  P,  q  E  Q 

g3  =  \a.f(r)  ®  a 

(4)  PS{p j7j9)  ->  g4(T4p'.7',9')  =  P‘S(9',7",9))  r  =  ( P,T )  ^  (P',7'7 ")  e  A,  pe  P,  q,q'  eQ 

04  =  Xa.\b.f(r)  <g>  a  ®  ft 

(5)  Accepting^  172  ■  •  -ln](p,q)  9.,  (P5(p,-n  .y,  J  ;  P5(q,  ,q.2  J  ;  ■  ■  ■  ,PS(q„-i,y„,q)) 

qi  G  Q,  for  1  <  i  <  n  —  1,  and  q  e  F 

06  =  A01.A02  •  •  •  \an.a\  ®  a.2  ®  ■  ■  ■  (g)  an 

(6)  Accepted^ 72  . . .  7„](p)  -}•  gs  ( Accepting^ 172  . . .  ln\P,q)) 

q  e  F 

_ 06  =  Xa.a _ 

Fig.  2.  An  abstract  grammar  problem  for  the  GPR  problem. 

To  solve  the  GPR  problem,  we  appeal  to  the  following  theorem: 

Theorem  2.  [15, 17]  The  abstract  grammar  problem  for  G  and  (S',  n)  can  be  solved 
by  an  iterative  computation  that  finds  the  maximum  fixed  point  when  the  following  con¬ 
ditions  hold: 

1.  The  semilattice  (S,  fl)  has  no  infinite  descending  chains. 


2.  Every  production  function  gg  in  G  is  distributive,  i.e.. 


s(  n  n  )  =  n  g{x , 

*i€ii  «feG-/fc  X  •••X/fc 


1  5  •  ■  •  3  J 


/or  arbitrary,  non-empty,  finite  index  sets  I\ , . . . ,  /&. 

5.  Every  production  function  gg  in  G  is  strict  in  0  in  each  argument. 


The  abstract  grammar  problem  given  in  Figure  2  meets  the  conditions  of  Theorem  2 
because 

1.  By  Definition  3,  the  ©  operator  is  associative,  commutative,  and  idempotent;  hence 
(D.  ©)  is  a  semilattice.  By  Definition  3(5),  ( D ,  ©)  has  no  infinite  descending 
chains. 

2.  The  distributivity  of  each  of  the  production  functions  g i,  . . gfi  over  arbitrary, 
non-empty,  finite  index  sets  follows  from  repeated  application  of  Definition  3(3). 

3.  Production  functions  g$,  . . .,  g(i  are  strict  in  0  in  each  argument  because  0  is  an 
annihilator  with  respect  to  ®  (Definition  3(4)).  Production  functions  g\  and  g->  are 
constants  (i.e.,  functions  with  no  arguments),  and  hence  meet  the  required  condition 
trivially. 

Thus,  one  algorithm  for  solving  the  GPR  problem  for  a  given  weighted  PDS  W,  initial 
configuration  (p,  7172  . .  .7 „),  and  regular  set  C  (represented  by  automaton  A)  is  as 
follows: 

-  Create  the  combined  weighted  PDS  W A. 

-  Define  the  corresponding  abstract  grammar  problem  according  to  the  schema  shown 
in  Figure  2. 

-  Solve  this  abstract  grammar  problem  by  finding  the  maximum  fixed  point  using 
chaotic  iteration:  for  each  nonterminal  X ,  the  fixed-point-finding  algorithm  main¬ 
tains  a  value  l(X),  which  is  the  current  estimate  for  X’s  value  in  the  maximum 
fixed-point  solution;  initially,  all  l(X)  values  are  set  to  0;  l (X )  is  updated  when¬ 
ever  a  value  l(Y )  changes,  for  any  Y  used  on  the  right-hand  side  of  a  production 
whose  left-hand-side  nonterminal  is  X. 

3.3  A  More  Efficient  Algorithm  for  the  GPR  Problem 

The  approach  given  in  the  previous  section  is  not  very  efficient:  for  a  configuration 
{p,  7172  ■  ■  ■  In),  it  takes  @(|Q|n_1  |-Fj)  time  and  space  just  to  create  the  grammar  pro¬ 
ductions  in  Figure  2  with  left-hand-side  nonterminal  Accepting[yi 72  . . .  7 n](P,q)-  How¬ 
ever,  we  can  improve  on  the  algorithm  of  the  previous  section  because  not  all  instan¬ 
tiations  of  the  productions  listed  in  Figure  2  are  relevant  to  the  final  solution;  we  want 
to  prevent  the  algorithm  from  exploring  useless  nonterminals  of  the  grammar  shown  in 
Figure  2. 

Moreover,  all  GPR  questions  with  respect  to  a  given  target-configuration  set  C  in¬ 
volve  the  same  subgrammar  for  the  PS  nonterminals.  As  in  the  (ordinary)  pushdown- 
reachability  problem  [3,8],  the  information  about  whether  a  complete  derivation  tree 
with  root  nonterminal  P5(9)7)g/)  exists  (i.e.,  whether  PS^qn^q^  is  a  productive  nonter¬ 
minal)  can  be  precomputed  and  returned  in  the  form  of  an  (annotated)  automaton  of 
size  0(\ Q |  | A \  +  |->o|)-  Exploring  the  PS  subgrammar  lazily  saves  us  from  having 
to  construct  the  entire  PS  subgrammar.  Productive  nonterminals  represent  automaton 
transitions,  and  the  productions  that  involve  any  given  transition  can  be  constructed 
on-the-fly,  as  is  done  in  Algorithm  1,  shown  in  Figure  3. 

It  is  relatively  straightforward  to  see  that  Algorithm  1  solves  the  grammar  prob¬ 
lem  for  the  PS  subgrammar  from  Figure  2:  workset  contains  the  set  of  transitions 


Algorithm  1 

Input:  a  weighted  pushdown  system  W  =  CP-  S ,  /), 

where  P  =  (P,  P,  A)  and  S  =  ( D ,  ©,  0, 1); 

a  P-automaton  *4  =  (Q,  P,  ->o ,  P,  P)  that  accepts  C, 
such  that  *4  has  no  transitions  into  P  states. 

Output:  a  P-automaton  Apre*  =  (Q-  P,  — >,  P,  F)  that  accepts  pre*(C): 

a  function  /  that  maps  every  ( q ,  7,  q')  G  ©-to  the  value  of  mo  (PS(9)7j?') ) 
in  the  abstract  grammar  problem  defined  in  Figure  2. 

1  procedure  update(t,  r,  T) 

2  begin 

3  — y  :=  — y  U  {f}; 

4  /(f)  :=  /(f)  ®  (/(/•)  0  /(T(l))  ®  . . .  ®  /(T(|T|))); 

5  if  /(f)  changed  value  then  workset  :=  workset  U  {f} 

6  end 

7 

8  — >  :=  — >-0;  l  =  0;  workset  :=  — fo; 

9  for  all  f  €  -»o  do  /(f)  :=  1; 

10  for  all  r  =  (p,  7)  (p',e)  e  zi  do  update((p,  7,p');  P  0); 

1 1  while  workset  ^  0  do 

12  select  and  remove  a  transition  f  =  (g,  7,  g')  from  workset ; 

13  for  all  r  =  (pi,  71)  ( q ,  7)  G  zi  do  update((j>i,  (/)); 

14  for  all  r  =  (pi ,  71 )  c->  (g,  772)  G  Z\  do 

15  forallf'  =  (g',  72, 9")  G  ->  do  update((pi,ji,  q"),r,  (f,  f')); 

16  for  all  r  =  (pi ,  71 )  ‘-f  (p',  727)  G  A  do 

17  iff' =  (p',72,  q)  G  -»  then  update^pi,^,  q'),r,  (f',f)); 

18  return  ((Q,  P, -4-,  P,  P), /) 

Fig.  3.  An  on-the-fly  algorithm  for  solving  the  grammar  problem  for  the  PS  subgrammar 
from  Figure  2. 

(PS  nonterminals)  whose  value  /(f)  has  been  updated  since  it  was  last  considered;  in 
line  8  all  values  are  set  to  0.  A  function  call  update(t,  r,  T)  computes  the  new  value 
for  transition  f  if  f  can  be  created  using  rule  r  and  the  transitions  in  the  ordered  list  T. 
Lines  9-10  process  the  rules  of  types  (1)  and  (2),  respectively.  Lines  1 1-17  represent  the 
fixed-point-finding  loop:  line  13, 15,  and  17  simulate  the  processing  of  rules  of  types  (3) 
and  (4)  that  involve  transition  f  on  their  right-hand  side;  in  particular,  line  4  corresponds 
to  invocations  of  production  functions  and  g,{ .  Note  that  line  4  can  change  /(f)  only 
to  a  smaller  value  (w.r.t.  C).  The  iterations  continue  until  the  values  of  all  transitions 
stabilize,  i.e.,  workset  is  empty. 

From  the  fact  that  Algorithm  1  is  simply  a  different  way  of  expressing  the  grammar 
problem  for  the  PS  subgrammar,  we  know  that  the  algorithm  terminates  and  computes 
the  desired  result.  Moreover,  apart  from  operations  having  to  do  with  /,  the  algorithm 
is  remarkably  similar  to  the  pre*  algorithm  from  [8] — the  only  major  difference  being 
that  transitions  are  stored  in  a  workset  and  processed  multiple  times,  whereas  in  [8] 
each  transition  is  processed  exactly  once.  Thus,  the  time  complexity  increases  from  the 
C>(|Q|2|Z\|)  complexity  of  the  unweighted  case  [8]  by  a  factor  that  is  no  more  than  the 
length  of  the  maximal-length  descending  chain  in  the  semiring. 


Given  the  annotated  pre*  automaton,  the  value  of  6(c)  for  any  configuration  c 
can  be  read  off  from  the  automaton  by  following  all  paths  by  which  c  is  accepted — 
accumulating  a  value  for  each  path — and  taking  the  meet  of  the  resulting  value  set. 
The  value-accumulation  step  can  be  performed  using  a  straightforward  extension  of  a 
standard  algorithm  for  simulating  an  NFA  (cf.  [1,  Algorithm  3.4]). 

Algorithm  1  is  a  dynamic-programming  algorithm  for  determining  6(c) ;  Appendix  A 
describes  how  to  extend  Algorithm  1  to  keep  additional  annotations  on  transitions  so 
that  the  path  set  lo(c)  can  be  obtained. 

4  Applications  to  Interprocedural  Dataflow  Analysis 

This  section  describes  the  application  of  weighted  PDSs  to  interprocedural  dataflow 
analysis,  and  shows  that  the  algorithm  from  Section  3  provides  a  way  to  generalize  pre¬ 
viously  known  frameworks  for  interprocedural  dataflow  analysis  [22, 26].  The  running 
example  used  in  this  section  illustrates  the  application  of  the  approach  to  linear  con¬ 
stant  propagation  [22].  G.  Balakrishnan  has  also  used  the  approach  to  implement  an 
interprocedural  dataflow-analysis  algorithm  due  to  M.  M'uller-Olm  and  H.  Seidl,  which 
determines,  for  each  program  point  n,  the  set  of  all  affine  relations  that  hold  among 
program  variables  whenever  n  is  executed  [16]. 

Interprocedural  Dataflow  Analysis,  Supergraphs,  and  Exploded  Supergraphs 

Interprocedural  dataflow-analysis  problems  are  often  defined  in  terms  of  a  program’s 
supergraph ,  an  example  of  which  is  shown  in  Figure  4.  A  supergraph  consists  of  a 

int  x; 

void  main ( )  { 

n  1 :  x  =  5  ; 
n2, n3 :  p  ( ) ; 

return; 

} 

void  p ( )  { 

n4:  if  (...)  { 

n5 :  x  =  x  +  1; 
n6, n7  :  p  ( ) ; 

n  8  :  x  =  x  —  1  ; 

} 

n9 :  else  if  (...)  { 

nlO :  x  =  x  -  1; 
nll,nl2:  p  ( )  ; 

nl3 :  x  =  x  +  1; 

} 

return; 

} 

Fig.  4.  A  program  fragment  and  its  supergraph.  The  environment  transformer  for  all 
unlabeled  edges  is  Xe.e. 

collection  of  control-flow  graphs — one  for  each  procedure — one  of  which  represents 
the  program’s  main  procedure.  The  flowgraph  for  a  procedure  p  has  a  unique  enter 
node,  denoted  by  ep,  and  a  unique  exit  node,  denoted  by  xp.  The  other  nodes  of  the 


flowgraph  represent  statements  and  conditions  of  the  program  in  the  usual  way,4  except 
that  each  procedure  call  in  the  program  is  represented  in  the  supergraph  by  two  nodes,  a 
call  node  and  a  return-site  node  (e.g.,  see  the  node-pairs  (712, 713),  (716,717),  (tin,  7712) 
in  Figure  4).  In  addition  to  the  ordinary  intraprocedural  edges  that  connect  the  nodes 
of  the  individual  control-flow  graphs,  for  each  procedure  call — represented,  say,  by  call 
node  c  and  return-site  node  r — the  supergraph  contains  three  edges:  an  intraprocedural 
call-to-return-site  edge  from  c  to  r;  an  interprocedural  call-to-enter  edge  from  c  to  the 
enter  node  of  the  called  procedure;  an  interprocedural  exit-to-return-site  edge  from  the 
exit  node  of  the  called  procedure  to  r. 

Definition  7.  A  path  of  length  j  from  node  m  to  node  n  is  a  (possibly  empty)  sequence 
of  j  edges,  which  will  be  denoted  by\e  1 ,  e2, . . . ,  ef\,  such  that  the  source  of  e\  is  m,  the 
target  ofej  is  n,  and  for  all  i,  1  <  i  <  j  —  1,  the  target  of  edge  e*  is  the  source  of  edge 
ei+ 1.  Path  concatenation  is  denoted  by  ||. 

The  notion  of  an  (interprocedurally)  valid  path  is  necessary  to  capture  the  idea  that 
not  all  paths  in  a  supergraph  represent  potential  execution  paths.  A  valid  path  is  one 
that  respects  the  fact  that  a  procedure  always  returns  to  the  site  of  the  most  recent  call. 
We  distinguish  further  between  a  same-level  valid  path — a  path  that  starts  and  ends 
in  the  same  procedure,  and  in  which  every  call  has  a  corresponding  return  (and  vice 
versa) — and  a  valid  path — a  path  that  may  include  one  or  more  unmatched  calls: 

Definition  8.  The  sets  of  same-level  valid  paths  and  valid  paths  in  a  supergraph  are 
defined  inductively  as  follows: 

-  The  empty  path  is  a  same-level  valid  path  (and  therefore  a  valid  path). 

-  Path  p  ||  [e]  is  a  valid  path  if  either  (i)  e  is  not  an  exit-to-return-site  edge  and 
p  is  a  valid  path,  or  (ii)  e  is  an  exit-to-return-site  edge  and  p  =  Ph  ||  [ec]  ||  Pt> 
where  pt  is  a  same-level  valid  path,  p ^  is  a  valid  path,  and  the  source  node  ofec  is 
the  call  node  that  matches  the  return-site  node  at  the  target  of  e.  Such  a  path  is  a 
same-level  valid  path  ifPh  is  also  a  same-level  valid  path. 

Example  1.  In  the  supergraph  shown  in  Figure  4,  the  path 

Zmain  — ►  Til  — *  712  — >  ep  — >  714  — *  Tig  — >  7114  — >  Xp  — >  TI3 

is  a  (same-level)  valid  path;  the  path 

Cmain  ~ Tli  — »  712  — >  ep  — »  714  — »  Tig 

is  a  (non-same-level)  valid  path  because  the  call-to-start  edge  712  — >  ep  has  no  matching 
exit-to-return-site  edge;  the  path 

e main  ->  71 1  — >  712  ep  — >  714  — >  Tig  — >  7li4  — >  Xp  — >  TI7 

is  not  a  valid  path  because  the  exit-to-return-site  edge  xp  ->  717  does  not  correspond  to 
the  preceding  call-to-start  edge  712  — >  ep . 

A  context-sensitive  interprocedural  dataflow  analysis  is  one  in  which  the  analysis  of 
a  called  procedure  is  “sensitive”  to  the  context  in  which  it  is  called.  A  context-sensitive 

4  The  nodes  of  a  flowgraph  can  represent  individual  statements  and  conditions;  alternatively, 
they  can  represent  basic  blocks. 


analysis  captures  the  fact  that  calls  on  a  procedure  that  arrive  via  different  calling  con¬ 
texts  can  cause  different  sets  of  execution  states  to  arise  on  entry  to  a  procedure.  More 
precisely,  the  goal  of  a  context-sensitive  analysis  is  to  find  the  meet-over-all-valid-paths 
value  for  nodes  of  a  supergraph  [14, 22, 26], 

The  remainder  of  this  section  considers  the  Interprocedural  Distributive  Environ¬ 
ment  (IDE)  framework  for  context-sensitive  interprocedural  dataflow  analysis  [22],  It 
applies  to  problems  in  which  the  dataflow  information  at  a  program  point  is  represented 
by  a  finite  environment  ( i.e .,  a  mapping  from  a  finite  set  of  symbols  to  a  finite-height  do¬ 
main  of  values ),  and  the  effect  of  a  program  operation  is  captured  by  an  “environment- 
transformer  function”  associated  with  each  supergraph  edge.  The  transformer  functions 
are  assumed  to  distribute  over  the  meet  operation  on  environments. 

Two  IDE  problems  are  (decidable)  variants  of  the  constant-propagation  problem: 
copy-constant  propagation  and  linear-constant  propagation.  The  former  interprets  as¬ 
signment  statements  of  the  form  x  =  7  and  y  =  x.  The  latter  also  interprets  statements 
of  the  form  y  =  —2  *  x  +  5. 

By  means  of  an  “explosion  transformation”,  an  IDE  problem  can  be  transformed 
from  a  path  problem  on  a  program’s  supergraph  to  a  path  problem  on  a  graph  that 
is  larger,  but  in  which  every  edge  is  labeled  with  a  much  simpler  edge  function  (a 
so-called  “micro-function”)  [22],  Each  micro-function  on  an  edge  d\  — >  (h  captures 
the  effect  that  the  value  of  symbol  d\  in  the  argument  environment  has  on  the  value 
of  symbol  d2  in  the  result  environment.  Figure  5  shows  the  exploded  representations  of 
four  environment-transformerfunctions  used  in  linear  constant  propagation.  Figure  5(a) 


Fig.  5.  The  exploded  representations  of  four  environment-transformer  functions  used  in 
linear  constant  propagation. 

shows  how  the  identity  function  Ae.e  is  represented.  Figure  5(b)-Figure  5(d)  show  the 
representations  of  the  functions  \e.e[x  i->  7],  A e.e[y  e(x)],  and  A e.e[y  i->  —2  * 
e(x)  +  5],  which  are  the  dataflow  functions  for  the  assignment  statements  x  =  7,  y  =  x, 
and  y  =  —  2  *  x  +  5,  respectively.  (The  A  vertices  are  used  to  represent  the  effects  of 
a  function  that  are  independent  of  the  argument  environment.  Each  graph  includes  an 
edge  of  the  form  A  — >  A,  labeled  with  Xv.v;  these  edges  are  needed  to  capture  function 
composition  properly  [22].) 

Figure  6  shows  the  exploded  supergraph  that  corresponds  to  the  program  from  Fig¬ 
ure  4  for  the  linear  constant-propagation  problem. 

From  Exploded  Supergraphs  to  Weighted  PDSs 

We  now  show  how  to  solve  linear  constant-propagation  problems  in  a  context-sensitive 
fashion  by  defining  a  generalized  pushdown  reachability  problem  in  which  the  paths 
of  the  (infinite-state)  transition  system  correspond  to  valid  paths  in  the  exploded  super¬ 
graph  from  ( emaj„ ,  A).  To  do  this,  we  encode  the  exploded  supergraph  as  a  weighted 
PDS  whose  weights  are  drawn  from  a  semiring  whose  value  set  is  the  set  of  functions 

Fic  —  ■[  XI.  T }  U  {A/,  {cl  n  c  |  cl  G  ^ ,  6  G  H ,  and  c  G  1L  . 


Fig.  6.  The  exploded  supergraph  of  the  program  from  Figure  4  for  the  linear  constant- 
propagation  problem.  The  micro-functions  are  all  id,  except  where  indicated. 

Every  function  /  €  Fic  —  {AZ.T}  can  be  represented  by  a  triple  (a,  b,  c),  where  a  €  Z, 
b  €  Z,  c  €  Z and 

f  =  \i  /  T  if*  =  T 

J  [  (a  *  Z  +  6)  n  c  otherwise 

The  third  component  c  is  needed  so  that  the  meet  of  two  functions  can  be  represented. 
(See  [22]  for  details.)  The  semiring  value  0  is  AZ.T ;  the  semiring  value  1  is  the  identity 
function,  whose  representation  is  (1,  0,  T).  We  also  denote  the  identity  function  by  id. 
By  convention,  a  constant  function  XI. b  is  represented  as  (0,  b,  T). 

The  operations  ©  and  ®  are  defined  as  follows: 


(a2,b2,c2)  ®  (ai,6i,ci) 


(a2,b2,c2)  ®  (ai,6i,ci) 


((ai,bi,  Ci  n  c2)  if  ai  =  a2  and  bi  =  b2 
(' ai ,bi,c)  where  c  =  (a±  *  Zo  +  b\ )  n  C\  n  c2 , 

if  Zo  =  (b\  —  62)/(a2  —  ai)  €  Z 
1(1.0  ,  ±)  otherwise 

((at  *  o2),  (oi  *  Z)2  +  6i),  ((oi  *c2  +  bi)  n  ci)). 


Here  it  is  assumed  that  x*T  =  T*x  =  x  +  T  =  T  +  x  =  T  for  x  €  Z  J  and  that 
x*J-  =  A-*x  =  x  +  A-  =  A-  +  x  =  A.  for  x  €  Z  j_.  The  second  case  for  the  combiner 
operator  is  obtained  by  equating  the  terms  ai  *  y  +  b\  and  a2  *  y  +  b2  and  taking  the 
solution  for  y ,  provided  it  is  integral. 

The  control  locations  correspond  to  the  program’s  variables  (and  also  to  A).  Stack 
symbols,  such  as  n 4,  n 5  and  ruj,  correspond  to  nodes  of  the  supergraph. 

With  one  exception,  each  edge  in  the  exploded  supergraph  corresponds  to  one  rule 
of  the  weighted  PDS.  The  encoding  can  be  described  in  terms  of  the  kinds  of  edges  that 
occur  in  the  supergraph. 


A  few  of  the  weighted  PDS’s  rules  for  the  (exploded)  intraprocedural  edges  are  as 
follows: 


Intraprocedural  edges  in  main  Intraprocedural  edges  in  p 


{A:m)  c— >■  (A n2) 

id 

(A,  n4)  (A,  n5) 

id 

(A,m)  ^  (x,n2) 

Xl.5 

(x,  n4)  (x,  n5) 

id 

(A  77.3)  c—^  (A  Xmain) 

id 

(A,  715)  ‘-A  (A,  n6) 

id 

{x:7ls)  c—^  {x^Xmain) 

id 

(x,n5)  ^  (x,n6) 

Xl.l  +  1 

In  a  rule  such  as 

(x,n6)  (x,  n6)  Xl.l  +  1  (1) 

the  second  component  of  each  tuple  implies  that  the  currently  active  procedure  is  p,  and 
the  rest  of  the  stack  is  not  changed. 

At  each  call  site,  each  PDS  rule  that  encodes  an  edge  in  the  exploded  representation 
of  a  call-to-enter  edge  has  two  stack  symbols  on  its  right-hand  side.  The  second  symbol 
is  the  name  of  the  corresponding  return-site  node,  which  is  pushed  on  the  stack: 

Transitions  for  call  site  m  Transitions  for  call  site  n%  Transitions  for  call  site  mi 
(A,  112)  ‘-A  (A,  ep  n%)  Td  (A,  n§)  (A,  ep  nr)  id  (A,  nn)  (A,  ep  7112)  id 

(x,  m)  (x,  ep  m)  id  {x,ng)  (x,ep  nr)  id  {x,nn) {x,ep  n  12)  id 

The  process  of  returning  from  p  is  encoded  by  popping  the  topmost  stack  symbols  off 
the  stack. 

Transitions  to  return  from  p 
(A,  xp)  c->  (A,  e)  id 

( x ,  xp)  c->  (x,  e)  id 

Obtaining  Dataflow  Information  from  the  Exploded  Supergraph’s  Weighted  PDS 

For  linear  constant  propagation,  we  are  interested  in  a  generalized  reachability  problem 
from  configuration  (A,  emain).  Thus,  to  obtain  dataflow  information  from  the  exploded 
supergraph’s  weighted  PDS,  we  perform  the  following  steps: 

-  Define  a  regular  language  R  for  the  configurations  of  interest.  This  can  be  done  by 
creating  an  automaton  for  R ,  and  giving  each  edge  of  the  automaton  the  weight  id. 

-  Apply  Algorithm  1  to  create  a  weighted  automaton  for  pre  *  ( R) . 

-  Inspect  the  pre*(f?)-automaton  to  find  the  transition  A  e,nain  >  accepting  state . 
Return  the  weight  on  this  transition  as  the  answer. 

In  the  following,  we  often  write  {x,  a),  where  a  is  a  regular  expression,  to  mean 
the  set  of  all  configurations  (x,  w)  where  w  is  in  the  language  of  stack  contents  defined 
by  a. 

Example  2.  For  the  query  pre*((x,ep  (m2  nr)*  m)),  the  semiring  value  associated 
with  the  configuration  (A,  emai„)  is  XL 5,  which  means  that  the  value  of  program  vari¬ 
able  x  must  be  5  whenever  p  is  entered  with  a  stack  of  the  form  “ep  (m2  n7 )*  n3 ”i 
i.e.,  main  called  p.  which  then  called  itself  recursively  an  arbitrary  number  of  times, 
alternating  between  the  two  recursive  call  sites. 

A  witness-path  set  for  the  configuration  (A,  emain)  is  a  singleton  set,  consisting  of 
the  following  path: 

Semiring  value  Confi  guration  Rule  Rule  weight 

XI. 5  (A,  emain)  (A.  Cmain  J^A  .  rii)  Id 

XL 5  (A,  m)  (A,  m)  {x,  n?)  Xl.5 

id  (x,n2)  (x,n2)  ^  {x,ep  ns)  id 

id  (x,epn3)  Confi  guration  accepted  by  query  automaton 


Example  3.  One  example  of  a  situation  in  which  the  stack  is  of  the  form 
ep  (ni2  TI7)*  ri3  is  when  main  calls  p  at  712  (n 3);  p  calls  p  at  ri6  (717);  and  finally  p 
calls  p  at  nn  (n  12)-  In  this  case,  the  stack  contains  ep  n\2  777  ns-  As  expected,  for  the 
query  pre*({x,ep  n\2  n-j  ns)),  the  semiring  value  associated  with  the  configuration 
emain)  Is  A/. 5. 

In  this  case,  a  witness-path  set  for  the  configuration  ( A ,  emain)  is  a  singleton  set, 
consisting  of  the  following  path: 


Semiring  value  Conti  guration 

Rule 

Rule  weight 

Mb 

{-^■5  6771am) 

(d,  ^  (A,  77l  ] 

id 

Xl.b 

(A,  Til) 

{A,  77i)  <-»■  (x,T72) 

Mb 

id 

(x,  772) 

(x,  772)  t-7  (x,  ep  ns) 

id 

id 

{x,ep  ns) 

(x, ep)  <->•  (x, 774) 

id 

id 

{x,  774  7*3) 

{x,  774>  '-7  {x,  775) 

(x,  775)  t-7  {x,  776> 

id 

id 

{x,  ns  ns) 

Xl.1  +  1 

Ml  -  1 

{ X ,  Tt6  7t3) 

(x,  776)  t-7  (x,ep  777) 

id 

Ml  -  1 

(x,ep  m  773) 

(x,ep)  t-7  (x,  774) 

(x,  774)  t-7  {x,77g) 

(x,  77g)  t-7  {x,77lo> 

id 

Ml  -  1 

<X,  774  777  773) 

id 

Ml  -  1 

(a;,  779  777  773) 

id 

Ml  -  1 

(x,  77lo  777  773) 

(x,77lo>  '->■  {x,77n> 

Ml  -  1 

id 

(x,  77ll  777  773) 

{x,77n>  t-7  (x,ep  77l2> 

id 

id 

(x,  ep  77i2  t»7  773)  Confi  guration  accepted  by  query  automaton 

Notice  that  the  witness-path  set  for  the  configuration  {A,  emain)  is  more  compli¬ 
cated  in  the  case  of  the  query  pre*((x,  ep  7112  nj  ns))  than  in  the  case  of  the  query 
pre*({x ,  ep  (ni2  TI7)*  713)),  even  though  the  latter  involves  a  regular  operator. 

Example  4.  Conventional  dataflow-analysis  algorithms  merge  together  (via  meet,  i.e., 
ffi)  the  values  for  each  program  point,  regardless  of  calling  context.  The  machinery 
described  in  this  paper  provides  a  strict  generalization  of  conventional  dataflow  analysis 
because  the  merged  information  can  be  obtained  by  issuing  an  appropriate  query. 

For  instance,  the  value  that  the  algorithms  given  in  [14, 22, 26]  would  obtain  for  the 
tuple  (x,ep)  can  be  obtained  via  the  query  pre*((x,ep  (717  -F  7112)*  ns)).  When  we 
perform  this  query,  the  semiring  value  associated  with  the  configuration  {A,  emain)  is 
ALT.  This  means  that  the  value  of  program  variable  x  may  not  always  be  the  same  when 
p  is  entered  with  a  stack  of  the  form  “ep  (717  +  7712)*  ns".  For  this  situation,  a  witness- 
path  set  for  the  configuration  {A,  emain)  consists  of  two  paths,  which  share  the  first  four 
configurations;  the  semiring  value  associated  with  (x.  ep  ns)  is  ALT  =  id  ©  A l.l  —  1: 


Semiring  value  Confi  guration 

Rule 

Rule  weight 

ALT 

{-^•5  6mai7i) 

(A 5  6mam)  C  ^  (4,  77l  ] 

id 

ALT 

(yl,77i) 

(A,  77l)  t-7  (x,  772> 

Mb 

ALT 

ALT 

(x,  772> 

(x,ep  773) 

(x,  772)  t-7  (x,ep  773) 

id 

id 

(x,ep  773) 

Confi  guration  accepted  by  query  automaton 

Ml  -  1 

(x,ep  773) 

(x, ep)  '->■  (x, 774) 

(x ,  774)  t-7  (x,  77g) 

{x,77g>  “-T  (x,77l0> 

id 

A  l.l  -  1 

(x,  774  773) 

id 

A  l.l  -  1 

(x,77g  773) 

id 

A  l.l  -  1 

(x,  77lo  773) 

(x,77lo)  '-7  (x,77n) 

Ml  -  1 

id 

(x,  77ll  773> 

(x,77n)  t-7  (x,ep  7712 ) 

id 

id 

(x,  ep  7712  7*3)  Confi  guration  accepted  by  query  automaton 

The  Complexity  of  the  Dataflow-Analysis  Algorithm 

Let  E  denote  the  number  of  edges  in  the  supergraph,  and  let  Var  denote  the  number 
of  symbols  in  the  domain  of  an  environment.  The  encoding  of  an  exploded  supergraph 
as  a  PDS  leads  to  a  PDS  with  Var  control  locations  and  A  =  E  ■  Var  rules.  If  R 
is  the  regular  language  of  configurations  of  interest,  assume  that  R  can  be  encoded  by 
a  weighted  automaton  with  |Q|  =  .s  +  Var  states  and  t  transitions.  Let  l  denote  the 
maximal  length  of  a  descending  chain  in  the  semiring  formed  by  the  micro-functions. 

The  cost  of  a  pre*  query  to  obtain  dataflow  information  for  R  is  therefore  no  worse 
than  0(s2  ■  Var  ■  E  ■  l  +  Var 3  •  E  ■  l)  time  and  0(s  ■  Var  ■  E  +  Var2  ■  E  +  t)  space, 
according  to  the  results  of  Section  3  and  [8], 

How  Clients  of  Dataflow  Analysis  Can  Take  Advantage  of  this  Machinery 

Algorithm  1  and  the  construction  given  above  provide  a  new  algorithm  for  interprocedu¬ 
ral  dataflow  analysis.  As  demonstrated  by  Examples  2,  3,  and  4,  with  the  weighted-PDS 
machinery,  dataflow  queries  can  be  posed  with  respect  to  a  regular  language  of  initial 
stack  configurations,  which  provides  a  strict  generalization  of  the  kind  of  queries  that 
can  be  posed  using  ordinary  interprocedural  dataflow-analysis  algorithms. 

For  clients  of  interprocedural  dataflow  analysis,  such  as  program  optimizers  and 
tools  for  program  understanding,  this  offers  the  ability  to  provide  features  that  were 
previously  unavailable: 

-  A  program  optimizer  could  make  a  query  about  dataflow  values  according  to  a  pos¬ 
sible  pattern  of  inline  expansions.  This  would  allow  the  optimizer  to  determine — 
without  first  performing  an  explicit  expansion — whether  the  inline  expansion  would 
produce  favorable  dataflow  values  that  would  allow  the  code  to  be  optimized. 

-  A  tool  for  program  understanding  could  let  users  pose  queries  about  dataflow  in¬ 
formation  with  respect  to  a  regular  language  of  initial  stack  configurations. 

The  first  of  these  possibilities  is  illustrated  by  Figure  7,  which  shows  a  transformed 
version  of  the  program  from  Figure  4.  The  transformed  program  takes  advantage  of 
the  information  obtained  from  Example  2,  namely,  that  in  Figure  4  the  value  of  x  is  5 
whenever/;  is  entered  with  a  stack  of  the  form  “ep  (n 1 2  717)*  nf  \  In  the  transformed 
program,  all  calls  to  p  that  mimic  the  calling  pattern  “(7112  n-j)*  713”  (from  the  orig¬ 
inal  program)  are  replaced  by  calls  to  p1 .  In  p1 ,  a  copy  of  p  has  been  Mined  (and 
simplified)  at  the  first  recursive  call  site.  Whenever  the  calling  pattern  fails  to  mimic 
“(ni2  nr)*  713”,  the  original  procedure/;  is  called  instead. 

5  Related  Work 

Several  connections  between  dataflow  analysis  and  model  checking  have  been  estab¬ 
lished  in  past  work  [27, 28, 23, 6],  The  present  paper  continues  this  line  of  inquiry,  but 
makes  two  contributions: 

-  Previous  work  addressed  the  relationship  between  model  checking  and  bit-vector 
dataflow-analysis  problems,  such  as  live-variable  analysis  and  partial-redundancy 
elimination.  In  this  paper,  we  show  how  a  technique  inspired  by  one  developed  in 
the  model-checking  community  [3, 8] — but  generalized  from  its  original  form  [25] — 
can  be  applied  to  certain  dataflow-analysis  problems  that  cannot  be  expressed  as 
bit- vector  problems. 

-  Previous  work  has  used  temporal-logic  expressions  to  specify  dataflow-analysis 
problems.  This  paper’s  results  are  based  on  a  more  basic  model-checking  primitive, 
namely  pre*.  (The  approach  also  extends  to  post* .) 

These  ideas  have  been  illustrated  by  applying  them  to  linear  constant  propagation, 
which  is  not  expressible  as  a  bit-vector  problem. 


int  x; 


void  main ( )  { 
x  =  5; 

P'  0  ; 
return; 

} 

void  p ( )  { 

if  (...)  { 

x  =  x  +  1  ; 
p(); 

x  =  x  -  1  ; 

} 

else  if  (...)  { 
x  =  x  -  1 ; 
p  ( )  ; 

x  =  x  +  1  ; 

} 

return; 

} 


void  p' ( )  { 

if  (...)  { 

if  (...)  {  //  Inlined  call  n6,n7 

x  =  7; 

p  ( ) ;  //  n 6 , n 7 ;  n6, n7 

} 

else  if  (...)  { 

p'  ();  //  n6,n7;  nll,nl2 
}  //  End  inlined  call  n6,n7 

} 

else  if  (...)  { 
x  =  4; 
p  ( ) ; 

} 

x  =  5  ; 
return; 

} 


Fig.  7.  A  transformed  version  of  the  program  from  Figure  4  that  takes  advantage  of  the 
fact  that  in  Figure  4  the  value  of  x  is  5  whenever  p  is  entered  with  a  stack  of  the  form 
“ep  (n  12  n7)*  n3”. 

Bouajjani,  Esparza,  and  Toulli  [4]  independently  developed  a  similar  framework, 
in  which  pre*  and  post*  queries  on  pushdown  systems  with  weights  drawn  from  a 
semiring  are  used  to  solve  (overapproximations  of)  reachability  questions  on  concurrent 
communicating  pushdown  systems.  Their  method  of  obtaining  weights  on  automaton 
transitions  significantly  differs  from  ours.  Instead  of  deriving  the  weights  directly,  they 
are  obtained  using  a  fixpoint  computation  on  a  matrix  whose  entries  are  the  transitions 
of  the  pre*  automaton.  This  allows  them  to  obtain  weights  even  when  the  semiring 
does  have  infinite  descending  chains  (provided  the  extender  operator  is  commutative), 
but  leads  to  a  less  efficient  solution  for  the  finite-chain  case.  In  the  latter  case,  in  the 
terms  of  Section  4,  their  algorithm  has  time  complexity  0(((s  +  Var )  ■  E  -  Var  +  t)2  ■ 
E  -  Var  ■  (s  +  Var )  •  l),  i.e.,  proportional  to  Var6  and  E3.  All  but  one  of  the  semirings 
used  in  [4]  have  only  finite  descending  chains,  so  Algorithm  1  applies  to  those  cases 
and  provides  a  more  efficient  solution. 

The  most  closely  related  papers  in  the  dataflow-analysis  literature  are  those  that 
address  demand-driven  interprocedural  dataflow  analysis. 

-  Reps  [19, 18]  presented  a  way  in  which  algorithms  that  solve  demand  versions 
of  interprocedural  analysis  problems  can  be  obtained  automatically  from  their  ex¬ 
haustive  counterparts  (expressed  as  logic  programs)  by  making  use  of  the  “magic- 
sets  transformation”  [2],  which  is  a  general  transformation  developed  in  the  logic¬ 
programming  and  deductive-database  communities  for  creating  efficient  demand 
versions  of  (bottom-up)  logic  programs,  and/or  tabulation  [29],  which  is  another 
method  for  efficiently  evaluating  recursive  queries  in  deductive  databases.  This  ap¬ 
proach  was  used  to  obtain  demand  algorithms  for  interprocedural  bit-vector  prob¬ 
lems. 


-  Subsequent  work  by  Reps,  Horwitz,  and  Sagiv  extended  the  logic-programming  ap¬ 
proach  to  the  class  of  IFDS  problems  [20] .  They  also  gave  an  explicit  demand  al¬ 
gorithm  for  IFDS  problems  that  does  not  rely  on  the  magic-sets  transformation  [11], 

-  Both  exhaustive  and  demand  algorithms  for  solving  a  certain  class  of  IDE  problems 
are  presented  in  [22],  The  relationship  between  the  two  algorithms  given  in  that 
paper  is  similar  to  the  relationship  between  the  exhaustive  [20]  and  demand  [11] 
algorithms  for  IFDS  problems. 

-  A  fourth  approach  to  obtaining  demand  versions  of  interprocedural  dataflow- 
analysis  algorithms  was  investigated  by  Duesterwald,  Gupta,  and  Soffa  [7],  In  their 
approach,  for  each  query  a  collection  of  dataflow  equations  is  set  up  on  the  flow 
graph  (but  as  if  all  edges  were  reversed).  The  flow  functions  on  the  reverse  graph 
are  the  (approximate)  inverses  of  the  forward  flow  functions.  These  equations  are 
then  solved  using  a  demand-driven  fixed-point-finding  procedure. 

None  of  the  demand  algorithms  described  above  support  the  ability  to  answer  a  query 
with  respect  to  a  user-supplied  language  of  stack  configurations.  As  with  previous  work 
on  dataflow  analysis,  those  algorithms  merge  together  (via  meet,  i.e.,  ©)  the  values  for 
each  program  point,  regardless  of  calling  context.  In  addition,  past  work  on  demand- 
driven  dataflow  analysis  has  not  examined  the  issue  of  providing  a  witness  set  of  paths 
to  show  why  the  answer  to  a  dataflow  query  for  a  particular  configuration  has  the  value 
reported. 

The  IFDS  framework  can  be  extended  with  the  ability  to  answer  a  query  with  re¬ 
spect  to  a  language  of  stack  configurations  by  applying  the  reachability  algorithms  for 
(unweighted)  PDSs  [3, 8]  on  the  graphs  used  in  [20, 1 1];  however,  that  approach  does 
not  work  for  the  more  general  IDE  framework.  This  paper  has  shown  how  to  extend  the 
IDE  framework  to  answer  a  query  with  respect  to  a  language  of  stack  configurations, 
using  our  recent  generalization  of  PDS  reachability  algorithms  to  weighted  PDSs  [25]. 

It  should  be  noted  that,  like  the  algorithms  from  [22],  the  algorithm  for  solving  GPR 
problems  given  in  Section  3  is  not  guaranteed  to  terminate  for  all  IDE  problems;  how¬ 
ever,  like  the  algorithms  from  [22],  it  does  terminate  for  all  copy-constant-propagation 
problems,  all  linear-constant-propagation  problems,  and,  in  general,  all  problems  for 
which  the  set  of  micro-functions  contains  no  infinite  descending  chains.  The  asymp¬ 
totic  cost  of  the  algorithm  in  this  paper  is  the  same  as  the  cost  of  the  demand  algorithm 
for  solving  IDE  problems  from  [22];  however,  that  algorithm  is  strictly  less  general  than 
the  algorithm  presented  here  (cf.  Example  4). 

An  application  of  the  theory  of  PDSs  to  interprocedural  dataflow  analysis  has  been 
proposed  by  Esparza  and  Knoop  [9],  who  considered  several  bit-vector  problems,  as 
well  as  the  faint-variables  problem,  which  is  an  IFDS  problem  [21,  Appendix  A].  These 
problems  are  solved  using  certain  pre*  and  post*  queries.  With  respect  to  that  work,  the 
extension  of  PDSs  to  weighted  PDSs  allows  our  approach  to  solve  a  more  general  class 
of  dataflow-analysis  problems  than  Esparza  and  Knoop’s  techniques  can  handle;  the 
witness-set  generation  algorithm  can  also  be  used  to  extend  their  algorithms.  (Esparza 
and  Knoop  also  consider  bit-vector  problems  for  flow-graph  systems  with  parallelism, 
which  we  have  not  addressed.) 

M'uller-Olm  and  Seidl  have  given  an  interprocedural  dataflow-analysis  algorithm 
that  determines,  for  each  program  point  n,  the  set  of  all  affine  relations  that  hold  among 
program  variables  whenever  n  is  executed  [16].  This  method  can  be  re-cast  as  solving 


5  Logic-programming  terminology  is  not  used  in  [20];  however,  the  exhaustive  algorithm  de¬ 
scribed  there  has  a  straightforward  implementation  as  a  logic  program.  A  demand  algorithm 
can  then  be  obtained  by  applying  the  magic-sets  transformation. 


a  GPR  problem  (with  the  same  asymptotic  complexity).  G.  Balakrishnan  has  created  a 
prototype  implementation  of  this  method  using  the  WPDS  library  [24]. 

Model  checking  of  PDSs  has  previously  been  used  for  verifying  security  proper¬ 
ties  of  programs  [10, 12,5],  The  methods  described  in  this  paper  should  permit  more 
powerful  security-verification  algorithms  to  be  developed  that  use  weighted  PDSs  to 
obtain  a  broader  class  of  interprocedural  dataflow  information  for  use  in  the  verification 
process. 
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A  Generation  of  Witness  Sets 


Section  3.3  gives  an  efficient  algorithm  for  determining  (5(c);  this  section  addresses  the 
question  of  how  to  obtain  ui(c).  It  may  help  to  think  of  this  problem  as  that  of  examining 
an  infinite  graph  Q  whose  nodes  are  pairs  (c,  d),  where  c  is  a  configuration  and  d  a  value 
from  D,  and  in  which  there  is  an  edge  from  (ci,  d\)  to  (C2,  cfe)  labeled  with  r  €  A  if 
and  only  if  Ci  C2  and  /(r)  ®  (fe  =  d\.  For  a  given  configuration  c,  finding  u>(c) 
means  identifying  a  set  of  paths  ai, ...  ,a/.  such  that  path  up  1  <  i  <  k,  leads  from 
some  ( c,di )  to  some  (cj,  1),  where  c*  €  C,  and  0*=1  di  =  5(c).  In  other  words, 
w(c)  =  {ay, . . . ,  (Tfe)  proves  that  <5(c)  really  has  the  value  computed  by  Algorithm  1. 
We  note  the  following  properties: 


-  In  general,  k  may  be  larger  than  1,  e.g.,  we  might  have  a  situation  where  <5(c)  = 
d\  ffiefe  because  of  two  paths  with  values  d\  and  cfe,  but  there  may  be  no  single  path 
with  value  d\  ©  (fe. 

-  We  want  to  keep  ui(c)  as  small  as  possible.  If  a  witness  set  contains  two  paths  a i 
and  (72,  where  v(cti)  C  v(o2),  then  the  same  set  without  CT2  is  still  a  witness  set. 
Like  5(c),  ui(c)  will  be  given  indirectly  in  the  form  of  another  annotation  (called 

n)  on  the  transitions  of  Apre *■  We  use  two  data  structures  for  this,  called  wnode  and 
wstruc.  If  t  is  a  transition,  then  n(t)  holds  a  reference  to  a  wnode.  (We  shall  denote  a 
reference  to  some  entity  e  by  [e] .)  A  wnode  is  a  set  of  wstruc  items.  A  wstruc  item  is 
of  the  form  (d,  [t],  [r],  N)  where  d  €  D,  [f]  is  a  reference  back  to  t,  r  €  A  is  a  rule. 


Algorithm  2 

1  procedure  update(t,  r,  T ) 

2  begin 

3  — t  :=  — y  U  -(f}; 

4  d:=/(r)®J(T(l))®...®/(T(|T|)); 

5  s  :=  (d,  [f],  [r],(n(t')  \  f'  €  T)); 

6  if  /(f)  C  d  then  return; 

7  if  n(f)  =  nil  or  d  C  /(f)  then 

8  create  n  :=  {s}; 

9  else 

10  create  n  :=  minimize(S  U  {s}),  where  n(t)  =  [5]; 

11  n(t)  :=  [n]; 

12  /(f)  :=  l(t)  ®  d; 

13  workset  :=  workset  U  {f} 

14  end 

Fig.  8.  Modified  update  procedure. 

and  N  contains  a  sequence  of  references  to  wnode s.  References  may  be  nil,  indicating 
a  missing  reference. 

We  can  now  extend  Algorithm  1.  The  idea  is  that  during  execution,  if  nit)  =  [5], 
then  /(f)  =  ©(d,[t],[r],jv)es^-  An  item  W  N)  in  S  denotes  the  following:  Sup¬ 

pose  that  Apre  >  has  an  accepting  path  starting  with  f,  and  c  is  the  configuration  accepted 
by  this  path.  Then,  in  the  pushdown  system,  there  is  a  path  (or  rather,  a  family  of  paths) 
with  value  d  from  c  to  some  c'  €  C,  and  this  path  starts  with  r.  An  accepting  path  (in 
Apre*)  for  a  successor  configuration  can  be  constructed  by  replacing  f  with  the  transi¬ 
tions  associated  with  the  wnode s  in  N . 

The  concrete  modifications  to  Algorithm  1  are  as  follows;  In  line  8,  set  n  =  nil.  In 
line  9,  create  a  wnode  n  :=  {(1,  [f],  nil,  ())}  for  every  f  €  —>o  and  set  n(f)  :=  [n\. 

Figure  8  shows  a  revised  update  procedure.  Line  4  of  Figure  8  computes  the  newly 
discovered  value  for  transition  f,  and  line  5  records  how  the  new  path  was  discovered. 
In  line  6,  if  /(f)  C  (/,  the  update  will  not  change  /(f)  and  nothing  further  needs  to 
be  done.  If  d  IZ  /(f)  (see  line  8),  the  new  addition  is  strictly  smaller  than  any  path 
to  f  so  far,  and  n(t)  only  has  to  reference  the  new  path.  If  d  and  /(f)  are  incomparable, 
line  10  creates  a  new  set  consisting  of  the  previous  paths  and  the  new  path.  Even  though 
d  is  incomparable  to  /(f),  d  might  approximate  (□)  one  or  more  elements  of  S.  The 
procedure  minimize  (not  shown)  removes  these. 

It  is  fairly  straightforward  to  see  that  the  information  contained  in  S  allows  the 
reconstruction  of  a  witness  set  involving  f  (see  above).  Moreover,  every  wnode  cre¬ 
ated  during  execution  contains  references  only  to  wnode s  created  earlier.  Therefore,  the 
process  of  reconstructing  the  witness  set  by  decoding  wnode/wstruc  information  must 
eventually  terminate  in  a  configuration  from  C. 

During  execution  of  the  modified  algorithm,  several  wnode s  for  the  same  transition  f 
can  be  created;  only  one  of  them  is  referenced  by  f  at  any  moment,  although  the  other 
wnode s  may  still  be  referenced  by  other  transitions.  A  garbage  collector  can  be  used  to 
keep  track  of  the  references  and  remove  those  nodes  to  which  there  is  no  longer  any 
chain  of  references  from  any  transition. 


